The Department of Health and Human Services’ Office for Civil Rights has recently issued a basic guide to HIPAA compliance; a summary of HIPAA Rules for covered entities.
A Basic Guide to HIPAA Compliance
The Health Insurance Portability and Accountability Act (HIPAA) places a number of requirements on healthcare providers, health plans, healthcare clearinghouses, and Business Associates of HIPAA covered entities, to safeguard data, protect the privacy of patients, and notify them of incidents that expose their Protected Health Information (PHI).
HIPAA legislation is complicated, and many covered entities, especially smaller healthcare providers, struggle to understand the HIPAA Privacy, Security, and Breach Notification Rules and to turn those rules into policies and procedures.
The Department of Health and Human Services’ Office for Civil Rights is the enforcer of HIPAA Rules, and while the agency investigates data breaches, it is also charged with improving understanding of data privacy and security legislation. One way it achieves this objective is by issuing guidance to help organizations understand how HIPAA applies in practice.
Recently the OCR, in conjunction with the Medicare Learning Network, has released new guidance covering the basics of HIPAA compliance, explaining the fundamentals of the HIPAA Privacy Rule, Security Rule and Breach Notification Rule, summarizing the main elements of each. The basic guidance can be downloaded from the HHS website. A more comprehensive guide is available here.
Basic Guide to HIPAA Compliance: Essential Elements of HIPAA Explained
The basic guide to HIPAA compliance condenses the main points of HIPAA into a 7-page document. It explains what Protected Health Information is, the organizations that must take steps to protect that information, and the timescales for reporting data breaches. It also includes useful quick references where covered entities can find out more information.
Often the basic elements of HIPAA Rules are not adhered to, leading to OCR financial penalties. While covered entities are not expected to prevent all unauthorized disclosures of PHI, they must implement appropriate protections to minimize the risk of patient privacy being violated.
During the pilot phase of the OCR HIPAA compliance audits, covered entities were assessed on compliance with the Security and Privacy Rules. The results of those audits clearly demonstrated that the majority of audited entities had not implemented the minimum data security and privacy standards required by HIPAA.
Compliance with these rules is more important now than ever, with hackers and malicious insiders accessing, copying and sharing patient data for financial gain like never before. Covered entities must repel these incessant attacks and keep ePHI secured; however, sooner or later one of those attacks will be successful. It is therefore essential that breach response policies are in place, and that they can be implemented immediately upon discovery of a data breach. The OCR appears to be concentrating on the breach response, to ensure that when ePHI is exposed, risk is mitigated quickly.
The Importance of a Fast, Efficient Breach Response
The OCR understands that even when protections are put in place, breaches can still be suffered. Financial penalties and corrective action plans are therefore not always necessary, but a failure to conduct a prompt breach response and mitigate risk is almost certain to result in action against the covered entity in question.
The breach response is not necessarily a quick process. When a hacker breaks through security defenses, it is not always clear which areas of a network have been accessed, the patient data that was potentially viewed or copied, and which patients are at risk of fraud and identity theft. Forensic investigations must be conducted, and all too often, a covered entity is required to draft, print and mail millions of breach notification letters. This can take a considerable amount of time, and the 60 day time frame for alerting patients and reporting the incident elapses fast.
In the OCR's basic guide to HIPAA compliance, covered entities are reminded of the timescales for responding to breaches. The reporting requirements included in the basic guide to HIPAA compliance are detailed below:
HIPAA Breach Notification Deadlines

| Provide notification to… | Breaches involving fewer than 500 individuals | Breaches involving more than 500 individuals |
|---|---|---|
| Individuals | No later than 60 days after discovery of a breach | No later than 60 days after discovery of a breach |
| HHS | Submit a log of all breaches once a year, no later than 60 days after end of calendar year | At same time as notice to individuals, no later than 60 days from discovery |
| Media | N/A | No later than 60 days from discovery |
OCR Penalties for HIPAA Breach Notification Violations
A failure to execute a prompt breach response can result in financial penalties being issued by the OCR, State Attorneys General, and other government agencies. Under HIPAA (and HITECH) the penalties for breach notification violations can be severe. A fine of up to $1.5 million can be issued by the OCR, and state attorneys general can fine violators for failing to notify state residents within a reasonable time frame. Covered entities should note that delaying breach notices unnecessarily, even when the 60-day breach deadline is not exceeded, can also result in fines being issued. HIPAA legislation sets a deadline, but also states that notification letters must be sent “without unnecessary delay.”
| Violation category | Financial penalty |
|---|---|
| Covered entity did not know (and by exercising reasonable diligence would not have known) an act was a HIPAA violation. | $100-$50,000 for each violation, up to a maximum of $1.5 million, per violation category, per calendar year. |
| Reasonable cause, yet not a result of willful neglect. | $1,000-$50,000 for each violation, up to a maximum of $1.5 million, per violation category, per calendar year. |
| A HIPAA violation resulted from willful neglect of HIPAA Rules, but the violation was corrected within the required time period. | $10,000-$50,000 for each violation, up to a maximum of $1.5 million, per violation category, per calendar year. |
| The HIPAA violation was due to willful neglect and no effort was made to correct the issue. | $50,000+ for each violation, up to a maximum of $1.5 million, per violation category, per calendar year. |
Criminal penalties may be appropriate, such as when employees of HIPAA covered entities improperly access ePHI. In recent months there appears to have been an increase in the number of individuals found to have accessed, disclosed or used ePHI, and the Department of Justice is taking action. Violators of patient privacy can, and are, being sent to jail for HIPAA violations.
The criminal penalties permissible under HIPAA are indicated below:
HIPAA Criminal Penalties

| Violation | Maximum jail term |
|---|---|
| Unknowing violation or with reasonable cause | Up to 1 year in jail |
| Access under false pretenses | Up to 5 years in jail |
| Access for personal gain or with malicious intent | Up to 10 years in jail |
Any would-be data thief should note that while charges can be filed under HIPAA, potentially resulting in up to 10 years in prison, sentences may in fact be longer. Individuals found to have accessed and used PHI/PII are not necessarily charged under HIPAA laws. Conspiracy to commit wire fraud, for instance, carries a maximum penalty of 20 years in prison, while aggravated identity theft carries a mandatory 2-year term in jail, which must run consecutively to any other sentence issued.
HIPAA Sets Minimum Standards: State Laws May Set Stricter Breach Reporting Standards
HIPAA legislation is periodically updated, but state laws change much more frequently. Over the past 12 months a number of states have introduced even tougher data breach laws, requiring HIPAA-covered entities, and other holders of sensitive data, to notify breach victims faster. Risk mitigation strategies are also now covered by certain state data breach laws, and organizations and individuals that expose data are required to take greater precautions to keep state residents protected.
Compliance with HIPAA Rules may not be sufficient to avoid data breach fines, so it is essential that CISOs, CIOs and IT professionals keep up to date with state data breach legislation updates.